22 December 2009 - Post by: Lauren Vose
You would be forgiven for wondering what the kidnap of a penguin and data protection have in common.
At the NAPF conference the other week I became the proud owner of a small rubber penguin which was immediately installed on my desk. I presumed she would live a happy life there, but sadly I was wrong. On Monday morning, I arrived at my desk to discover the penguin missing, and later that day I received a ransom note demanding cake for her return. Her kidnap has taught me the importance of adequate security measures, which leads me to data protection.
The recent ruling by the Information Commissioner’s Office that Verity Trustees breached the Data Protection Act is a timely reminder to trustees that they can’t afford to presume that the data they are responsible for is secure. You need to take active steps to make sure it is. In the case of Verity Trustees a laptop containing the members’ details was stolen from Verity’s software provider. Yes, the laptop had been kept in a locked room, but unfortunately the personal data that was on it was unencrypted, which was in breach of the company’s data protection policies.
Of course, using an administrator doesn’t relieve trustees from their statutory duties in relation to personal data. They remain responsible for it and must take specific steps to protect it. So it makes sense when choosing an administrator to make sure that they can and will keep information secure. That means asking questions about policies and processes, and checking that respective obligations are properly documented in the admin agreement. The agreement should ensure that the administrator only processes data in accordance with the trustees’ instructions, and require all data to be kept securely. Don’t presume that a standard form admin agreement is going to be comprehensive enough. We’ve seen a few draft agreements recently which have been somewhat lacking when it comes to data protection.
It isn’t a one-off obligation either; the ICO points out that trustees are expected to check that their administrators are following through on their obligations and that their security is working. That means quizzing providers on the effectiveness of their security arrangements and making spot checks on them.
Perhaps trustees should make some time in the new year to ensure their data protection policies are adequate and to check that their agreements with third parties are up to scratch on data protection?
You will be relieved to hear that the penguin was safely returned when I paid the ransom, but rest assured I too will be reviewing my policies, and intend to up my security arrangements.
Lauren Vose is an associate at Allen & Overy LLP.